Section-by-Section Summary of H.R. 4978, the Online Privacy Act 

Congresswomen Anna Eshoo and Zoe Lofgren 


Section 1. Short Title; Table of Contents 

Sec. 2. Definitions [Only select definitions are included here.] 

1. Covered Entity —Any entity (including nonprofits and common carriers) that 
intentionally collects, processes, or maintains personal information AND transmits 
personal information over an electronic network. Does not include natural persons acting 
noncommercially. 

2. Service Providers —A service provider is a covered entity that processes, discloses, and 
maintains personal information at the direction of and for the benefit of another covered 
entity, and does not: 

a. Directly collect personal information from an individual; earn revenue from 
personal information except through the offering of services to the covered entity 
providing the personal information; disclose personal information to a covered 
entity unless that covered entity originally disclosed it; offer services targeting 
individuals with personal information not provided by the covered entity; or link 
the personal information. 

b. A service provider must also assist the covered entity in its compliance with 
Title I 

3. Small Business —Entity that: does not earn revenue from the sale of personal 
information, earns less than half of annual revenue from targeted advertising, has personal 
information of fewer than 250,000 individuals, has less than 200 employees, and has 
revenue under $10 million. 

4. Personal Information —Any information that is linked or reasonably linkable to a 
specific individual, includes deidentified personal information. Personal Information does 
not include: 

a. Publicly available information related to an individual. 

b. Information derived from personal information that can’t be linked back to an 
individual (e.g., a result or calculation from aggregate data). 

5. Deidentified Personal Information —Information that cannot reasonably identify, relate 
to, describe, reference, or be linked to an individual or device; has been deidentified 
using best practices; cannot be reidentified because technical and business processes to 
prevent reidentification are in place; and no attempt is made to reidentify. The Agency 
can make a determination that certain deidentification techniques are insufficient to 
qualify as deidentified personal information. 

6. Publicly Available Information— 

a. includes published government documents (as long as the documents are used for 
a compatible purpose); widely available information about public individuals and 
officials; and information made widely available by that individual. 

b. Does not include: biometric information; information used to contact or locate a 
private individual physically or electronically; or personal information obtained 
from government records for the purpose of selling it. 
7. Privacy Harm —Potential harms from data collection, processing, or disclosure, 
including: financial loss/economic harm; physical harm; psychological harm; adverse 
impact on rights or benefits like employment, housing, etc.; reputational harm; price 
discrimination; adverse consequences from collection or use of information that there 
was a reasonable expectation that it would not be collected; chilling of free expression or 
action of individuals or society due to perceived or actual pervasive and excessive 
privacy violations; impairing the autonomy of an individual or society generally; and 
others as determined by the Agency. 

8. Significant Privacy Harm —A direct or indirect financial loss or economic harm; 
physical harm; or adverse impact on rights or benefits like employment, housing, etc. 

9. Agency — New agency established under Title III. 

10. Disclosure — Sell, release, transfer, share, disseminate, make available, or otherwise 
communicate electronically to a third party. 

11. Sale —The disclosure of personal information for monetary consideration by a covered 
entity to a third party for the purpose of processing or disclosing such personal 
information at the third party’s discretion. Does not include disclosures to 
affiliates/subsidiaries; to third parties with a relationship with the individual that 
comports with that individual’s expectations; and mergers where personal information is 
less than half the value of assets. 

12. Reasonable Mechanism —A mechanism for exercising user rights or interacting with 
covered entities is “reasonable” if it is equivalent to the primary means the user uses for 
interacting with the covered entity. All user rights must have a “reasonable mechanism” 
available to exercise them. 

13. Protected Class —The actual or perceived race, color, ethnicity, national origin, religion, 
sex (including sexual orientation and gender identity), familial status, or disability of an 
individual or group of individuals. 

14. Behavioral Personalization— 

a. Processing of personal information using an algorithm built using that 
individual’s (or similar individuals’) personal information collected over time to: 
influence or predict behavior; or tailor, personalize, filter, sort, promote, or 
display content. 

b. Does not include the use of historical personal information to merely prevent the 
display of or provide additional information about previously-accessed content. 

15. Privacy Preserving Computing— 

a. The collecting, processing, disclosing, or maintaining of personal information that 
has been encrypted or otherwise rendered unintelligible using a means that cannot 
be reversed by a covered entity, or a covered entity’s service provider, such that 
processing can still occur on the personal information and a result returned that is 
only accessible to the requesting individual. 

b. The Agency can make a determination that certain techniques are insufficient to 
qualify as privacy preserving computing. 
Sec. 3. Prohibition on Waivers 

No provision under this Act may be waived or modified, and any contract purporting to do so 
is void. No predispute arbitration agreement shall be valid or enforceable with respect to 
claims under this Act. 

Sec. 4. Effective Date 

The Act takes effect one year after enactment. 

Sec. 5. Journalism Exception 

a. Covered entities shall not be subject to the obligations imposed under this Act that 
directly infringe on journalism (rather than other business practices), so long as there are 
safeguards against using the information for non-journalism purposes. 

b. Journalism includes the collecting, maintaining, processing, and disclosing of personal 
information about a public individual or official, or that otherwise concerns matters of 
public interest, for dissemination to the public. 

Sec. 6. Small Business Compliance Ramp 

A former small business has nine months to fully comply with this act upon losing its small 
business status. 

Sec. 7. Criminal Prohibition on Disclosing Personal Information 

Criminal prohibition on disclosing personal information of an individual with the intent: 

a. to threaten, intimidate, or harass such individual (i.e., doxing); or 

b. that others will threaten, intimidate, or harass such individual; 
shall be fined under this title or imprisoned not more than five years, or both. 

Sec. 8. Limitation on Disclosing Non-Redacted Government Records 

Prohibits government entities from disclosing personal information of an individual in 
records without prohibiting the recipient of such information from selling it without the 
express consent of the individual for each disclosure. Exception for government-to-
government disclosures. 


TITLE I - USER RIGHTS 

Sec. 101. Right of Access 

User must have access to: 

a. all categories of personal information a company maintains about that user, even 
information received from third parties. (Portability rights grant ability to 
download specific data). 
b. a list of third-parties (includes affiliates/subsidiaries) the personal information has 
been disclosed to and where the entity has received the personal information 
from. 

c. a concise, clear description of the business purpose for 
collecting/processing/disclosing personal information (does not apply to small 
businesses). 

d. a list of automated decision-making processes that an individual has a right to 
request human review of under Section 105 with descriptions of the implications 
and intended effects of such process. 

Sec. 102. Right of Correction 

a. User has the right to dispute the accuracy or completeness of personal information if 
improper use of that information creates or increases significant privacy harms. 

b. Section does not apply to small businesses. 

Sec. 103. Right of Deletion 

User has the right to request deletion of personal information both directly collected by the 
covered entity and information received from third parties. 

Sec. 104. Right of Portability 

a. For covered entities determined by the Agency to be in a “portable category” (i.e., 
categories of services that: benefit from encouraging increased competition, have less 
than three competitors, or have a Herfindahl-Hirschman Index >= 2,000; and have more than 10 
million users), they must provide two types of data portability: 

i. Ability to download in a machine-readable format all of the personal information 
that individual has provided to the service. 

ii. An Application Programming Interface (API) that allows the direct transfer of all 
personal information about or related to that individual to another covered entity 
as long as that receiving entity has been “certified.” 

1. The process for certification is a self-certification framework that the 
entity is a covered entity, that the entity does and will continue to comply 
with this Act, can receive personal information under Sec. 205, and will 
only use the API at the individual’s request 

2. An API provider can deny API access on a reasonable belief that the 
covered entity has failed to meet the self-certification requirements, but 
such denials are subject to Agency review and potential penalties. 

[NOTE: data received through the API is intended to be substantially 
broader than data obtained through download and is intended to include 
information such as pictures the user has been tagged in, even if uploaded 
by a different user] 

b. Section does not apply to small businesses. 

Sec. 105. Right to Human Review of Automated Decisions 
User has the right to request a human review of any decision made solely by an automated 
process, where that decision creates or increases significant privacy harms to that user. 

Sec. 106. Right to Individual Autonomy 

a. A covered entity may not collect, process, disclose, or maintain personal information for 
the purpose of behavioral personalization without express affirmative (“opt-in”) consent. 

b. Where consent is denied, the covered entity must provide a de-personalized version of the 
product or service. Where that’s infeasible, the covered entity must offer a core aspect of 
the product or service that can be provided de-personalized. Where no core aspect of the 
product or service can be offered de-personalized, the covered entity is not required to 
offer the service. 

c. Usability Improvement Exception 

i. Exception to express affirmative consent requirement for behavioral processing 
that increases usability so long as the data is representative of the entire user base 
and the outputs/results of the processing are uniform and independent of a specific 
individual user’s personal characteristics (e.g., age, sex, past user actions). 

[NOTE: Covered entity must still obtain consent from the standard process. This 
exception exists to allow companies to improve products and services for all 
users, using the standard consent process. Examples include using face 
recognition to find pictures of family on your phone, improving search results 
dependent only on the search term and independent of past search history.] 

ii. Usability does not mean increasing the addictiveness or amount of time spent on 
the product or service. 

d. Section does not apply to small businesses. 

Sec. 107. Right to be Informed 

A covered entity that collects the personal information of an individual it does not have an 
existing relationship with must (if possible) notify the individual of that collection. 

Sec. 108. Right to Impermanence 

a. A covered entity may not maintain a category of personal information for longer than 
expressly consented to by the individual. When obtaining express affirmative consent, the 
covered entity must provide the following durations: 

i. No longer than necessary to complete the specific request/transaction (with a time 
estimate of this duration); 

ii. Until consent is revoked; 

iii. One or more additional durations based on reasonable expectations or norms for 
maintaining that category of data. 

b. Exception for implied consent, where the need for a long storage of the personal 
information is obvious on its face and a core feature of the service or product at the 
request of the individual, and it is stored only to provide that product or service. [NOTE: 
This is intended to allow for a covered entity to permanently store an individual’s 
documents, photos, contacts, messages, etc. by default, but the covered entity cannot use 
those for any other purpose than storage. For example, they cannot use your stored photos 
to improve facial recognition if they use this exception.] 

Sec. 109. Exemptions and Exceptions 

a. Title does not apply to personal information collected, processed, disclosed, or 
maintained for the following purposes (as long as technical safeguards and business 
processes limit collection, processing, disclosure, and maintenance to these purposes): 

i. Detecting, responding to, or preventing cybersecurity incidents; 

ii. Protecting against malicious, deceptive, fraudulent or illegal activity; 

iii. Complying with specific law enforcement requests or court orders; 

iv. Protecting a legally-recognized privilege or other legal right; 

v. Records about employees or employment status collected and used by that 
employee’s employer for employer-employee purposes (so long as it’s the kind of 
personal information one would expect to be collected while working and didn’t 
come from a third party); 

vi. Preventing prospective abuses of a service by an individual whose account has 
been previously terminated; 

vii. Necessary for routing a communication through a communications network, or 
for resolving the location of a host or client on a communications network. 

b. Reidentification—Where compliance with this title would require the reidentification of 
de-identified personal information, and the covered entity does not already maintain the 
information necessary for such reidentification, the covered entity shall be exempt from 
such compliance, except for with Sec. 106. [NOTE: This is meant to encourage covered 
entities to delete personal information that could be used for reidentification. 

Additionally, without this exception a covered entity would be required to get personal 
information from a third-party to comply with Title I.] 

c. If a covered entity exercises the exemptions above, it must disclose in a privacy policy 
what information is collected, processed, disclosed for that exempted purpose and what 
rights do not apply. 

d. Exceptions for specific requests—covered entity may deny a request under this title if— 

i. An individual’s identity cannot be confirmed; 

ii. A covered entity is prohibited by law from complying with the request, or 
denying the request is necessary to protect a legally-recognized right or 
privilege; 

iii. Granting the request would create a legitimate risk to the privacy, security or safety 
of another; 

iv. Granting the request would create a legitimate risk to free expression; or 

v. For deletion or correction requests: personal information is necessary for the 
completion of a transaction or contract initiated before the request and collected 
specifically and solely for that purpose; or granting the request would undermine the 
integrity of a legally-significant transaction. 

e. If a covered entity denies a request under this Title, it shall, within 30 days, inform such 
individual of the reason for such denial. 

f. Title I does not apply to service providers. 

g. Except for Sections 101, 105, 106, and 108 this title does not apply to personal 
information secured using privacy preserving computing. [NOTE: This is meant to 
encourage the adoption of privacy preserving computing and to not undermine the 
protection it provides. Individuals still have access to categories of data collected, the 
right to review automated decisions, the prohibition on behavioral personalization, and 
fee prohibitions.] 

h. Fees—Covered entity may not charge a fee for exercising the above rights, except if a 
request is determined to be unfounded or excessive, then they can charge reasonable 
administrative costs. 


TITLE II - PRIVACY AND SECURITY REQUIREMENTS 
Sec. 201. Data Minimization 

Collection, processing, disclosure and maintenance of personal information shall have a 
reasonable, articulated basis that takes into account reasonable business needs of the covered 
entity and the minimum amount of personal information needed to provide the product or 
service balanced with the potential privacy harms and reasonable expectations of privacy. 

a. Minimization of Collection —A covered entity may not collect more than is 
reasonably needed to provide the product or service the user has requested. 

b. Minimization of Processing —A covered entity may not process personal 
information for a purpose other than the purpose it was originally collected for. 

c. Minimization of Disclosure —A covered entity may not disclose personal 
information for a purpose other than the purpose for which such information was 
originally collected. 

d. Minimization of Maintenance —Covered entity may not store personal 
information for longer than necessary for the original purpose of collection. 

e. Ancillary Collection, Processing, Retention —Collection, processing, 
disclosure, and maintenance beyond the limitations of (a)-(d) may occur under the 
following conditions: 

i. No consent needed for collection, processing, or maintenance of personal 
information substantially similar to the original purposes of their 
collection processing or maintenance. 

ii. Notice is required for ancillary collection, processing, disclosure, and 
maintenance if it would either result in increased potential for privacy 
harms (but not significant privacy harms) or is not substantially similar to 
original purpose (but not both). 

However, if privacy preserving computing is used, collection, processing, 
maintenance, or disclosure may both result in increased potential for 
privacy harms (but not significant privacy harms) and not be substantially 
similar to the original purpose. 

iii. Notice and consent are required if ancillary collection, processing, 
disclosure, and maintenance is not substantially similar and would result 
in increased potential for privacy harms (Sec. 212 exceptions for implied 
consent and privacy preserving computing do not apply to this category). 

f. Substitution—Where personal information can be obscured or replaced with an 
equivalent substitution without substantially reducing its utility, a covered entity shall do 
so. 

Sec. 202. Employee Access Minimization. 

a. Access to personal information by employees or contractors shall be restricted based on 
an articulated balance between potential for privacy harm and reasonable business needs. 

b. A covered entity (excludes small businesses) shall maintain records identifying each 
instance when an employee or a contractor accesses content of communications or 
personal information if the disclosure or breach could result in substantially increased 
privacy harms. Such records include employee, date/time, and field of data accessed. 

Sec. 203. Prohibition on Collection or Maintenance of Personal information 

Covered entity is prohibited from collecting or storing personal information using a means of 
interstate commerce, unless it complies with this Act. 

Sec. 204. Prohibitions on Disclosure of Personal Information 

a. May not intentionally disclose personal information without notice and consent. 

i. Disclosures must include the original purpose the information was collected for. 

ii. Notice is sufficient for personal information that has been de-identified using best 
practices and where disclosure is limited to narrowest scope for intended benefits 
and contractual obligations limit its processing. 

iii. Notice is sufficient if information is secured using privacy preserving computing. 

b. May not sell personal information without the express consent of the individual for each 
sale. (Does not apply to lead-generating and aggregation services requested by user). 

c. Disclosures for advertisements: 

i. may not include personal information that would allow the linking of past or 
future disclosures; and 

ii. may include: truncated IP; truncated geolocation; general description of 
device/browser; and identifier that is unique to each disclosure. 

Sec. 205. Disclosing to Entities Not Subject to US Jurisdiction 

a. May not disclose personal information to an entity not subject to this Act or to U.S. 
jurisdiction. 

i. Exception for personal information that is an identifier created primarily for 
sending/receiving communications at the request of the individual and solely 
disclosed for that purpose. 
ii. Safe Harbors—Allow for the disclosure of personal information to a foreign 
entity: 

1. Agency Contract 

a. Disclosing entity must have reasonable belief that the foreign 
entity is complying with this Act; is solvent enough to pay fines; 
agrees to follow this Act; and has an agreement with the Agency 
under (b). 

b. Foreign entity enters into an agreement with the Agency where it 
agrees to comply with this Act, voluntarily subject itself to US 
jurisdiction for this Act, and agrees to pay fees if the Agency is 
required to enforce judgement in a foreign court. 

2. Private Contract 

a. Disclosing covered entity enters into a contract with a foreign 
entity where the foreign entity agrees to: comply with this Act, pay 
damages for violations when the covered entity cannot; gives 
covered entity the right to audit and inspect compliance; assists 
covered entity in compliance; and not use information for non- 
contracted purposes. 

b. Covered entity must: have knowledge of compliance and solvency 
of the foreign entity; have an auditing and compliance program for 
the foreign entity; and submit the above to the Agency for 
approval. 

c. Covered entity must have an agreement with the Agency that it 
will be the point of contact for all individual requests, and agency 
and court orders intended for the third-party regarding data it 
disclosed. 

3. If using safe harbor (2), the covered entity shall be jointly liable for all 
violations involving the disclosed personal information by the foreign 
entity, except where the covered entity is first to disclose a violation by the 
foreign entity, then it will be severally liable. Where a covered entity had 
reason to know there was a violation and did not report it, it will be 
considered a continuing violation for every day it fails to report. 

b. Rule of construction against data localization— Nothing shall be construed to require the 
localization of personal information to within the United States, or limit internal 
disclosure of personal information within a covered entity regardless of the country in 
which the covered entity will process, disclose, or maintain personal information. 

Sec. 206. Prohibition on Reidentification 

a. A covered entity shall not use personal information or publicly available information to 
reidentify an individual. 

b. Exception for qualified research entities. 

Sec. 207. Restriction on Communications Content 
a. May not collect, process, disclose, or maintain communications content for any purpose 
other than— 

i. Transmission, storage, display for sender or recipient; 

ii. Legitimate cybersecurity purposes that don’t require disclosing encryption keys or 
forced decryption; 

iii. Providing drafting assistance services (e.g., auto correct or grammar check); 

iv. Processing that is expressly requested by the sending or receiving party, as long as 
consent can be withdrawn; 

v. Filtering of commercial communications/spam; 

vi. Detecting or enforcing an abuse or violation of the service’s terms of service that 
would result in either a temporary or permanent ban from using the service; and 

vii. A disclosure required by law. 

b. Exception for publicly available communications— (a) shall not apply when the contents 
of communication are made publicly accessible by the sender without restrictions on 
accessibility, other than the general authorization to access the services used to make the 
information accessible. [NOTE: This exception means publicly-broadcasted messages, 
like public tweets or comments on articles, are not protected] 

c. Encryption Protection—A covered entity may not prevent encryption of a communication 
by an individual nor require an individual to decrypt or provide the means to decrypt a 
communication. 

d. A service provider is not liable for a violation if it is acting at the direction of and on 
behalf of a covered entity. 

Sec. 208. Prohibition on Discriminatory Processing 

a. A covered entity shall not process personal information or contents of communication for 
employment, finance, healthcare, credit, insurance, housing, or education opportunities in 
a manner that discriminates on the basis of an individual’s protected class status. 

b. A covered entity shall not process personal information in a manner that segregates, 
discriminates, or otherwise makes unavailable the goods, services, or accommodations of 
any place of public accommodation on the basis of a person's or a group’s protected class 
status. 

Sec. 209. Restrictions on Genetic Information 

a. May not collect, process, disclose, or store genetic information for any purpose other 
than— 

i. Providing medical treatment or testing to the individual; 

ii. Medical, historical, or population research and services. Genetic information may 
only be disclosed to qualified research entities and additionally disclosed personal 
information must be limited to the narrowest possible scope likely to yield the 
intended benefit. There must be contractual obligations in place that limit the 
kinds of other data sets that can be processed with the disclosed information; 
iii. A purpose determined by the Agency after a rulemaking that takes into account 
the potential privacy harms and potential benefits of such collection, processing, 
or storage; or 

iv. Another purpose required by law. 

b. A service provider is not liable for a violation if it is acting at the direction of and on 
behalf of a covered entity. 

Sec. 210. Requirements for Notice and Consent Process 

a. The Agency shall establish a minimum threshold of the percentage of users who must 
read and understand a privacy policy and a notice and consent process. 

b. A covered entity shall make available a reasonable mechanism to revoke consent. 

c. Covered entity may submit their study/data to demonstrate (a) to the Agency. If 
approved, the entity will receive a safe harbor. Agency shall publish approved UXs. 

d. A small business may freely use the approved consent/notice process of another entity. 

e. A small business cannot be penalized for failure to objectively show compliance with (a), 
(b), and (c), where there is no approved consent/notice process that is reasonably 
applicable to its business. 

Sec. 211. Prohibition on Deceptive Notice and Consent Processes, and Privacy Policies 

In providing notice, obtaining consent, or maintaining a privacy policy as required by this 
title, a covered entity may not intentionally take any action that substantially impairs, 
obscures, or subverts the ability of an individual to: understand the contents of such notice or 
such privacy policy; understand the process for granting such consent; make a decision 
regarding whether to grant or withdraw such consent; or act on any such decision. 

Sec. 212. Notice and Obtaining Consent 

a. Must provide an individual with notice of the personal information it collects, processes, 
stores, and discloses through a process that is concise, and clear and can be objectively 
shown to meet metrics established by the Agency under Sec. 210. 

b. May not collect or process personal information that creates or increases the risk of 
foreseeable privacy harms without consent that is concise and clear and can be 
objectively shown to meet metrics established by the Agency under Sec. 210. 

i. Exception for “implied consent” where consent is obvious and necessary on its 
face for providing the service (e.g., a car sharing app needs geolocation to send you 
a car, but doesn’t need it to track you when not on a ride). 

ii. Exemption for privacy preserving computing— Except in section 106, express 
consent is not required for collection, processing, or maintenance of personal 
information secured using privacy preserving computing. Nothing in this 
paragraph exempts the covered entity from the requirement to provide notice. 

c. A service provider is not liable for a violation if it is acting at the direction of and on 
behalf of a covered entity. 

Sec. 213. Privacy Policy 
a. Covered entity shall make available its privacy policy in plain language that can be 
objectively shown to meet metrics established by the Agency under Sec. 210 and it shall 
contain: 

i. Practices of the entity regarding collection, processing, storage, and disclosure; 

ii. How users may exercise their Title I rights; 

iii. Categories of personal information collected/processed; 

iv. List of personal information entity maintains; 

v. List of third parties entity has received information from and to which it disclosed 
information; and 

vi. Articulated basis for the collection, processing, disclosure and maintenance of 
personal information, as required under section 201. 

b. A service provider is not liable for a violation if it is acting at the direction of and on 
behalf of a covered entity. 

Sec. 214. Information Security Requirements 

The Agency, in consultation with the National Institute of Standards and Technology (NIST), 
shall promulgate regulations to require a covered entity to implement reasonable information 
security policies and procedures for the protection of personal information. 

a. These policies shall consider the covered entity’s activities, sensitivity of personal 
information, state of the art of safeguards, and costs. 

b. The policies shall include a security policy, identifying an information security 
officer, a process to mitigate vulnerabilities, a process to discard unneeded 
personal information, employee training, and a data breach response plan. 

c. The Director, in consultation with NIST, the Small Business Administration 
(SBA), and small businesses, shall develop policy templates, toolkits, tip sheets, 
configuration guidelines for commonly-used hardware and software, interactive 
tools and other materials to assist small businesses with complying with this 
section. 

Sec. 215. Notification of Data Breach or Data Sharing Abuse 

In the case of a data breach or data-sharing abuse with respect to personal information, a 
covered entity shall: 

a. Notify the Agency within 72 hours after becoming aware of such incident; 

b. Notify covered entities if breached or abused personal information was obtained 
from another covered entity, unless the breach or abuse is unlikely to create or 
increase foreseeable privacy harms, within 72 hours; and 

c. Notify an individual, if the covered entity has a relationship with the individual, 
within 14 days, unless the breach or abuse is unlikely to create or increase 
foreseeable privacy harms, using the same medium an individual routinely 
interacts with such covered entity and one additional medium, where possible. 

TITLE III - DIGITAL PRIVACY AGENCY 
Sec. 301. Establishment 

Establishes the United States Digital Privacy Agency with both principal and field offices. 
The Director is appointed by the President, confirmed by the Senate, and serves a 
five-year term. The President may remove the Director with cause. 

Sec. 302. Executive and Administrative Powers 

The Agency has independence and has the authority to carry out its duties under this Act. 

This authority is largely vested in the Director. 

Sec. 303. Rulemaking Authority 

The Director may prescribe rules and issue orders and guidance, as may be necessary or 
appropriate to enable the Agency to administer and carry out the purposes and objectives of 
this Act, and to prevent evasions thereof. 

Sec. 304. Personnel 

The Agency shall: 

a. Employ technologists, designers, attorneys, investigators, economists and other 
employees as may be deemed necessary. 

b. Establish an ombudsman as a liaison for affected persons. 

Sec. 305. Complaints of Individuals 

a. The Agency shall have a unit dedicated to collecting, monitoring, and responding to 
individuals’ complaints. 

b. The Agency will create a mechanism to electronically share complaints from its 
complaint system to the appropriate state agencies. The Agency must share complaints 
with the appropriate federal and state agencies. 

Sec. 306. User Advisory Board 

Creates the “User Advisory Board” to advise the Agency. Members of the board shall 
include experts in consumer protection, privacy, civil rights, and ethics, as well as 
representatives of the user community. Non-federal-employee members of the board will 
receive compensation and travel expenses for their participation. 

Sec. 307. Academic and Research Advisory Board 

Creates the “Academic and Research Advisory Board” to advise the Agency. Members of the 
board shall include experts in privacy, cybersecurity, computer science, innovation, 
economics, law, and public policy. Non-federal-employee members of the board will receive 
compensation and travel expenses for their participation. 

Sec. 308. Small Business and Investor Advisory Board 

Creates the “Small Business and Investor Advisory Board” to advise the Agency. Members 
of the board shall include representatives of small businesses and investors in small 
businesses. Non-federal-employee members of the board will receive compensation and 
travel expenses for their participation. 

Sec. 309. Consultation 

The Director shall consult with relevant federal and state agencies, state attorneys general, 
relevant international and intergovernmental bodies, and agencies of other countries that are 
similar to the Agency, to promote consistent regulatory treatment of the activities of covered 
entities relating to the privacy or security of personal information. 

Sec. 310. Reports 

The Agency must submit a report twice a year to the President, House Energy and 
Commerce, Judiciary, and Appropriations Committees, and Senate Commerce, Judiciary, and 
Appropriations Committees that covers significant privacy or security problems encountered 
by individuals, budget justifications, significant Agency developments, analysis of 
complaints received, public enforcement, and significant actions taken by the states. 

Sec. 311. Grants for Developing Open Source Machine Learning Training Data 

The Director shall establish an Open Source Machine Learning Training Data Grant Program 
to support the development of open-source, voluntarily disclosed, personal information data 
sets to be used for the training or development of machine learning and AI algorithms. 

Sec. 312. Annual Audits 

Requires an annual independent audit of the Agency’s operations and budget. 

Sec. 313. Inspector General 

Amends the Inspector General Act of 1978 to create an Office of the Inspector General 
within the Digital Privacy Agency. 

Sec. 314. Authorization of Appropriations 

Appropriates $550,000,000 for each of the fiscal years 2020, 2021, 2022, 2023, and 2024. 
[NOTE: This amount was determined by first adding together the number of employees in 
the Data Protection Agencies that report employee figures across the EU needed to enforce 
their data privacy law (~1,600 employees), and then looking at the funding level of similarly 
sized US Federal agencies.] 


TITLE IV - ENFORCEMENT 

Sec. 401. Definitions 

Defines terms specific to this title. 

Sec. 402. Investigations and Administrative Discovery 

The Agency may conduct investigations, subpoena for testimony or documents, and issue 
civil investigative demands, and must treat investigation documents confidentially. 

Sec. 403. Hearings and Adjudication Proceedings 

The Agency may conduct hearings and adjudication proceedings to ensure or enforce 
compliance with this Act. The Agency may issue cease-and-desist orders, and temporary 
cease-and-desist orders if continued actions during a proceeding may result in insolvency of 
an affected person or prejudice consumer interest. 

Sec. 404. Litigation Authority 

The Agency may commence a civil action to impose a civil penalty or to seek all appropriate 
legal and equitable relief, including permanent or temporary injunction. 

Sec. 405. Coordination with other Federal Agencies 

a. To the extent that federal law authorizes the Agency and another agency to enforce 
privacy laws, the agencies shall coordinate to promote consistent enforcement. 

b. Other agencies may refer violations of this Act to the Agency. 

c. The Agency and the FTC shall negotiate an agreement for coordinating enforcement 
of privacy laws. 

Sec. 406. Enforcement by States 

State attorneys general may bring a civil action as parens patriae, on behalf of residents of the 
state. A state attorney general must notify the Agency, and the Agency may intervene. 
Agency action shall preempt state action. 

Sec. 407. Private Rights of Action 

a. Injunctive Relief — A person who is aggrieved by a violation of this Act may bring a 
civil action in an appropriate district court for declaratory or injunctive relief with respect 
to the violation. 

b. Civil Action For Damages — Except for claims under rule 23 of the Federal Rules of 
Civil Procedure or a similar judicial procedure authorizing an action to be brought by one 
or more representatives, a person who is aggrieved by a violation of this Act may bring a 
civil action for damages in any court of competent jurisdiction in any state or in an 
appropriate district court. [NOTE: (b) allows for a single person to bring a suit for 
damages, but not a class or collection action.] 

c. Non-Profit Collective Representation —An individual shall have the right to appoint a 
non-profit body, organization, or association that has objectives which are in the public 
interest, and is active in protecting individuals’ privacy rights to lodge the complaint on 
his or her behalf to exercise the rights referred to in this Act. 

i. A non-profit may represent a class of aggrieved individuals. 

ii. A prevailing non-profit shall receive reasonable compensation for expenses, 
including attorney’s fees. 

iii. Individuals shall receive an equally-divided share of the total damages. 

iv. State Appointment —A state may provide that any body, organization or 
association referred to in (c), independently of an individual’s appointment, has 
the right to lodge, in that state, a complaint with the Agency and to exercise the 
rights referred to in this Act if it considers that the rights of an individual under 
this Act have been infringed. 

Sec. 408. Relief Available 

The court or the Agency has the authority to grant appropriate legal or equitable relief 
including: Rescission or reformation of contracts; refund of moneys or return of real 
property; restitution; disgorgement or unjust enrichment; monetary relief; injunctive relief; 
civil money penalties (maximum of $42,530 per individual). 

Sec. 409. Referral for Criminal Proceedings 

The Agency shall transmit evidence of violations of federal crimes to the Attorney General. 

Sec. 410. Whistleblower Protections 

Any person who becomes aware, based on non-public information, that a covered entity has 
violated this Act may file a civil action for civil penalties, if prior to filing such action, the 
person files with the Director a written request for the Director to commence the action. 


TITLE V - RELATION TO OTHER LAWS 
Sec. 501. Relation to other Federal Law 

This law does not impact or supersede the following laws: Privacy Act of 1974; Right to 
Financial Privacy Act of 1978; Fair Credit Reporting Act; Fair Debt Collection Practices Act; 
title V of the Gramm-Leach-Bliley Act; Children’s Online Privacy Protection Act of 1998; 
chapters 119, 123, and 206 of title 18, United States Code; the General Education Provisions 
Act; Privacy Protection Act of 1980; regulations promulgated under section 264(c) of the 
Health Insurance Portability and Accountability Act of 1996; Communications Assistance for 
Law Enforcement Act; sections 222, 227, 338, or 631 of the Communications Act of 1934; 
E-Government Act of 2002; Paperwork Reduction Act of 1995; Federal Information Security 
Management Act of 2002; Currency and Foreign Transactions Reporting Act of 1970; 
National Security Act of 1947; Foreign Intelligence Surveillance Act of 1978; Civil Rights 
Act of 1964; Americans with Disabilities Act; Fair Housing Act; Dodd-Frank Wall Street 
Reform and Consumer Protection Act; Equal Credit Opportunity Act; Age Discrimination in 
Employment Act; Genetic Information Nondiscrimination Act; does not limit the authority of 
the Federal Communications Commission to promulgate regulations and enforce any privacy 
law not in contradiction with this Act. 

Sec. 502. Severability 

If any provision of this Act is held unconstitutional or otherwise invalid, the validity of the 
remainder of the Act shall not be affected. 